Next Seminar

IIDI News

ComputingNapier Tweets

Professor Outlines Risks Exposed by Home Depot Hack

22/09/2014

Professor Bill Buchanan has outlined the details of the Home Depot Hack here. and which has possibly exposed over 56 million credit and debit card details.

Introduction

The
risks around intruders stealing passwords and credit cards show no
signs of abating, with the new announcement that Home Depot
point-of-sale points had a malware agent installed on them and which
could have resulted in over 56 million credit and debit
cards details being stolen. The Home Depot looks to have increased on
the recent Target hack which exposed an estimated 40 million cards.
Overall the main problem seems to be that companies have setup a whole
lot of back-end defences, but have forgotten that once the intruder has a
touch-point in the network, they can often go undetected.

Home Depot exploit

For the Home Depot exploit, the hackers installed malware at the
point-of-sale, and which was similar to the recent Target back, in order
to gather collect customer data from their cash registers. It is likely
that this ran from April 2014 to the beginning of September 2014,
before it was finally detected. The company have just annouched that it
has now made sure that they have gotten rid of the malware, but this is
no defence against the customers who have already had their credit card
details compromised.

The lesson learnt must be to try and reduce the time it takes to
detect a threat, and quickly respond to it. So as the back-end financal
services become more security, hackers will focus more on the
point-of-sale, and thus retailers such as Home Depot need to spend more
effort detecting exploits, as much as they do on data protection.

Overall it is expects that the breach will cost Home Depot at least
$62 million, showing that money spent on detection and prevention in
security is often a good investment. A brand can also be damaged with a
loss of respect by customers. The hack, for example, against the Sony
PlayStation Network is thought to have cost Sony $170 Million in direct
costs, and led to major damage on their brand.

History repeats with a new Target

The Home Depot hack is likely to be greater that the preceding Target
hack, which resulted in a large number of credit and debit card
appearing on the credit card clearing house site: rescator.cc . From the
Target attack, there have been batches defined as “American Sanctions”
and “European Sanctions”, and some speculate that it was retribution on
penalties imposed by the West on Russia for their actions in Ukraine.

Stolen card data on Rescator.cc (Figure 1) can
command prices up to $100 for each credit card details, and it has
become one of the largest clearinghouse for breaches, with many hundreds
of thousands of cards being sold in a single batch. It can be seen from
the meta details from the site, that they buy and sell credit card
details, including CVV details:

Conclusions

The “shooting fish in a barrel” analogy seems flippant, but it can be
seen that as the defences have toughened up on the back-end, the real
risk is now at the front-end, which is exposed to a range of
environments. If each credit card detail is worth up to $100, there is
thus a lucrative market out there to find new ways to shoot the fish.

Associated people

Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.